CodeQL documentation
Badly bounded write

ID: cpp/badly-bounded-write
Kind: problem
Security severity: 9.3
Severity: error
Precision: high
Tags:
   - reliability
   - security
   - external/cwe/cwe-120
   - external/cwe/cwe-787
   - external/cwe/cwe-805
Query suites:
   - cpp-code-scanning.qls
   - cpp-security-extended.qls
   - cpp-security-and-quality.qls

The program performs a buffer copy or write operation with an incorrect upper limit on the size of the copy. A sufficiently long input will overflow the target buffer. In addition to causing program instability, techniques exist which may allow an attacker to use this vulnerability to execute arbitrary code.

Recommendation

Use preprocessor defines to specify the size of buffers, and use the same defines as arguments to strncpy, snprintf etc. This technique will ensure that buffer sizes are always specified correctly so that no overflow occurs.

Example

    void congratulateUser(const char *userName)
    {
        char buffer[80];

        // BAD: even though snprintf is used, this could overflow the buffer
        // because the size specified is too large.
        snprintf(buffer, 256, "Congratulations, %s!", userName);

        MessageBox(hWnd, buffer, "New Message", MB_OK);
    }

In this example, the developer has used snprintf to control the maximum number of characters that can be written to buffer. Unfortunately, perhaps due to modifications since the code was first written, a limited buffer overrun can still occur because the size argument to snprintf is larger than the actual size of the buffer.

To fix the problem, either the second argument to snprintf should be changed to 80, or the buffer extended to 256 characters. A further improvement is to use a preprocessor define so that the size is only specified in one place, potentially preventing future recurrence of this issue.
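The fix described above, as an added example that is not part of the CodeQL documentation: the size is defined once and the snprintf return value is checked for truncation. MESSAGE_BUFFER_SIZE, format_congratulation, the FMT_* codes and guard_intact_after_long_name are assumed names, and the MessageBox call is left out so the code builds on any platform.

```c
#include <stdio.h>
#include <string.h>

/* Single definition of the buffer size (the name is an assumption). */
#define MESSAGE_BUFFER_SIZE 80

enum { FMT_OK = 0, FMT_TRUNCATED = 1, FMT_ERROR = -1 };

/* GOOD: the bound given to snprintf is the real size of the destination.
 * snprintf returns the length the complete output would have had, so a
 * result >= dst_size means the message was cut short. */
int format_congratulation(char *dst, size_t dst_size, const char *userName)
{
    if (dst == NULL || dst_size == 0 || userName == NULL)
        return FMT_ERROR;
    int needed = snprintf(dst, dst_size, "Congratulations, %s!", userName);
    if (needed < 0)
        return FMT_ERROR;
    return ((size_t)needed >= dst_size) ? FMT_TRUNCATED : FMT_OK;
}

/* Constructed check: format an over-long name into a buffer that is
 * followed by guard bytes and report whether the guard is untouched. */
int guard_intact_after_long_name(void)
{
    struct { char buffer[MESSAGE_BUFFER_SIZE]; char guard[8]; } frame;
    char longName[300];

    memset(longName, 'A', sizeof longName - 1);
    longName[sizeof longName - 1] = '\0';
    memset(frame.guard, 0x5A, sizeof frame.guard);

    /* sizeof frame.buffer always matches MESSAGE_BUFFER_SIZE. */
    (void)format_congratulation(frame.buffer, sizeof frame.buffer, longName);

    for (size_t i = 0; i < sizeof frame.guard; i++)
        if (frame.guard[i] != 0x5A)
            return 0;
    return strlen(frame.buffer) == MESSAGE_BUFFER_SIZE - 1;
}

int main(void)
{
    char buffer[MESSAGE_BUFFER_SIZE];
    int rc = format_congratulation(buffer, sizeof buffer, "Alice");
    printf("%d %s guard=%d\n", rc, buffer, guard_intact_after_long_name());
    return 0;
}
```

Passing `sizeof buffer` at the call site only works while `buffer` is a true array in scope; once it decays to a pointer, pass MESSAGE_BUFFER_SIZE instead.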
